000019330 - Use ACE/Server RADIUS to control enable access to Cisco Router

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000019330
Applies To: RSA ACE/Server
            Cisco Router
Issue: Use ACE/Server RADIUS to control enable access to Cisco Router
       Not able to give enable access privileges to users authenticating via RADIUS
Cause: The proper attributes have not been configured in the user's profile on ACE/Server.
Resolution: On the ACE/Server, set the Service-Type (attribute 6) value in the user's profile to login (or administrative-user). With just that setup, the privilege level follows the Service-Type defined in the profile: 1 for a regular user (login) or 15 for administrative-user. Adding the 9,1 av-pair lets you set the user's privilege level regardless of the Service-Type value. For example, a user profile with Service-Type (attribute 6) set to login and the 9,1 av-pair set to shell:priv-lvl=15 gives the user enable privilege. The Service-Type must be defined for anything to work with aaa authorization exec defined in the Cisco configuration.

This configuration would be enabled using this command on the router:

 aaa authorization exec default radius

On the ACE/Server administration interface:
Profile --> Add Profile
Name the profile appropriately
Add the attribute(s):
1. Service-Type
        This attribute can be set to login (Regular User) or administrative-user
2. For further granularity of enable privileges add:
        Set the value to: 9 1 "shell:priv-lvl=15" (the 15 can range from 1 to 15 depending on your router enable privilege config)
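
To check what a profile actually returns, the following added example (not RSA or Cisco code) decodes the attributes of a RADIUS reply and applies the rules described in this article. It assumes the standard RFC 2865 attribute encoding; the function names are hypothetical and the sample bytes are constructed.

```python
import re
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26   # RADIUS attribute types (RFC 2865)
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1    # the "9,1" av-pair named in the article
LOGIN, ADMINISTRATIVE = 1, 6            # Service-Type values (RFC 2865)
DEFAULT_PRIV = {LOGIN: 1, ADMINISTRATIVE: 15}  # article: 1 for login, 15 for administrative-user

def encode_attr(attr_type, value):
    """One attribute: type, length (the 2 header bytes included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def encode_service_type(value):
    return encode_attr(SERVICE_TYPE, struct.pack("!I", value))

def encode_cisco_avpair(text):
    """Vendor-Specific attribute: vendor id 9, vendor type 1, string."""
    sub = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode("ascii")
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse_attrs(data):
    """Yield (type, value) pairs; reject truncated or impossible lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length at offset %d" % pos)
        yield attr_type, data[pos + 2:pos + length]
        pos += length

def effective_priv_level(data):
    """Privilege level under the article's rules; None when they give no answer."""
    service_type = priv = None
    for attr_type, value in parse_attrs(data):
        if attr_type == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and len(value) > 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            text = value[6:4 + vlen].decode("ascii", "replace")
            m = re.fullmatch(r"shell:priv-lvl=(\d{1,2})", text)
            if (vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AVPAIR) and m and 1 <= int(m.group(1)) <= 15:
                priv = int(m.group(1))
    if service_type is None:        # article: nothing works without Service-Type
        return None
    return priv if priv is not None else DEFAULT_PRIV.get(service_type)
# Constructed sample: Service-Type login plus the 9,1 av-pair at level 15.
SAMPLE_REPLY = encode_service_type(LOGIN) + encode_cisco_avpair("shell:priv-lvl=15")
```

Feed it the attribute bytes of a reply taken from a lab capture to confirm that a login profile carrying shell:priv-lvl=15 really grants level 15, and that a profile without Service-Type grants nothing.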
Legacy Article ID: a7896